10.2 Configuring User Identification Methods

Three methods exist for identifying users who arrive from a trusted identity provider. You can authenticate users with the default authentication contract, match them to existing user accounts, or create a new account for them with user provisioning. If there are problems during provisioning, the user sees an error message; the messages and their causes are listed in Section 10.2.4, User Provisioning Error Messages.

10.2.1 Selecting a User Identification Method

  1. In the Administration Console, click Access Manager > Identity Servers > Servers > Edit > Liberty [or SAML 2.0] > [Identity Provider] > Access > Authentication.

  2. Enable Allow before authentication, then configure user provisioning or account matching as necessary as described below.

    User authentication

    The system displays the following options on the Authentication page under User Identification Methods. These options are used to further configure how the service provider can authenticate an unrecognized user.

    Authenticate user with default contract: Executes the default authentication contract.

    • Allow User Provisioning on login page: Provides a button that the user can click to create an account.

      If you are a service provider using Active Directory, ensure that Active Directory is configured to use a secure port, such as 636, and that the user’s password conforms to the complexity policy. Active Directory rejects password writes over an unencrypted LDAP connection, so the user store must be reached over LDAPS. If you encounter a provisioning error, you must reset the password on the Windows* machine.

    Automatically provision unknown users: Enables a service provider to trust unknown users that have authenticated to the trusted identity provider. User provisioning is used when no user account for federation exists at the service provider.

    You must click User Provisioning Method to define user provisioning. See Section 10.2.3, Defining the User Provisioning Method.

    Match existing user accounts: Enables account matching. The service provider can uniquely identify a user in its directory by obtaining specific user attributes sent by the trusted identity provider.

    You must click User Matching Method to define the match method. See Section 10.2.2, Configuring the User Matching Method.

    • Prompt for password on successful match: (Optional) Specifies whether to prompt the user for the local account’s password when the user’s name is matched to an account. A match proves only that the identity provider asserted the right attribute values; the password prompt confirms that the user actually owns the matched local account before it is federated.

  3. Click OK.

  4. Click OK on the Trusted Providers page.

  5. Click Update Servers on the Servers page.

10.2.2 Configuring the User Matching Method

If you enabled the Match existing user accounts option when selecting an identification method, you must configure the matching method.

Before you begin, enable the Liberty Personal Profile. See Section 12.2, Enabling Web Services and Profiles.

  1. In the Administration Console, click Access Manager > Identity Servers > Servers > Edit > Liberty [or SAML 2.0] > [Identity Provider Name] > Access > Authentication.

  2. Click Allow before authentication.

  3. Click Match existing user accounts.

  4. Click User Matching Method.

    User matching method

  5. Select and arrange the user stores you want to use.

  6. Set the matching expression as the default, or click New to create a look-up expression. See Section 7.3, Configuring User Matching Expressions.

  7. Specify what action to take if no match is found.

    You perform account matching before user provisioning, in order to prevent the creation of multiple accounts for one user. If no match is found, you can specify whether to:

    • Do nothing

    • Prompt the user for authentication

    • Automatically provision the user account

  8. Click Finish.

  9. On the Authentication page, click OK.

  10. On the Trusted Providers page, click OK.

  11. On the Servers page, click Update Servers to update the Identity Server configuration.
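The matching procedure above, carried through as an added example (illustrative Python, not Access Manager’s own code). It assumes the look-up expression is realized as an LDAP search filter built from the attributes the identity provider asserted, and models the ordered user stores as constructed in-memory entry lists so that it runs offline. The names NoMatchAction, match_user and build_filter are assumptions, not product APIs. Two points worth seeing in code: asserted attribute values are untrusted input on the service-provider side and must be escaped before they go into a filter, and an expression that matches more than one entry is treated as no match, because the page requires the expression to identify the user uniquely.

```python
"""Added example: matching a federated user to an existing SP account."""
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class NoMatchAction(Enum):
    DO_NOTHING = "do nothing"                     # federation fails, no account touched
    PROMPT_FOR_AUTH = "prompt for authentication" # fall back to local login
    AUTO_PROVISION = "automatically provision"    # hand off to Section 10.2.3


@dataclass
class MatchResult:
    dn: Optional[str]                    # matched entry, or None
    store: Optional[str]                 # user store that produced the match
    action: Optional[NoMatchAction]      # set only when no unique match exists
    prompt_for_password: bool = False    # "Prompt for password on successful match"


def escape_ldap_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside an LDAP search filter.

    Without it an asserted value such as "a*" turns the look-up expression
    into a wildcard search instead of an exact comparison.
    """
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def build_filter(expression: dict[str, str], asserted: dict[str, str]) -> str:
    """expression maps an LDAP attribute to the asserted attribute it must equal."""
    clauses = [f"({ldap_attr}={escape_ldap_value(asserted[name])})"
               for ldap_attr, name in expression.items()]
    return clauses[0] if len(clauses) == 1 else "(&" + "".join(clauses) + ")"


def match_user(stores: list[tuple[str, list[dict[str, str]]]],
               expression: dict[str, str],
               asserted: dict[str, str],
               on_no_match: NoMatchAction,
               prompt_for_password: bool = False) -> MatchResult:
    """Try each user store in the configured order; the first unique hit wins."""
    if any(name not in asserted for name in expression.values()):
        # The IdP did not send an attribute the expression needs, so no match
        # is possible; fall through to the configured no-match action.
        return MatchResult(None, None, on_no_match)
    wanted = {ldap_attr: asserted[name].casefold()        # caseIgnore matching, as
              for ldap_attr, name in expression.items()}  # LDAP does for mail and cn
    for store_name, entries in stores:
        hits = [e for e in entries
                if all(e.get(a, "").casefold() == v for a, v in wanted.items())]
        if len(hits) == 1:
            return MatchResult(hits[0]["dn"], store_name, None, prompt_for_password)
        # len(hits) > 1: the expression must identify one user uniquely, so an
        # ambiguous result is treated as no match rather than taking the first.
    return MatchResult(None, None, on_no_match)


# Constructed sample data: two user stores, searched in this order.
SAMPLE_STORES = [
    ("employees", [
        {"dn": "cn=asmith,ou=users,o=example", "mail": "adam.smith@example.com"},
        {"dn": "cn=jdoe,ou=users,o=example", "mail": "jane.doe@example.com"},
    ]),
    ("contractors", [  # a shared mailbox: two entries with the same mail value
        {"dn": "cn=ext1,ou=ext,o=example", "mail": "shared@partner.example"},
        {"dn": "cn=ext2,ou=ext,o=example", "mail": "shared@partner.example"},
    ]),
]
EXPRESSION = {"mail": "EmailAddress"}   # LDAP mail must equal the asserted EmailAddress
```

Running match_user over SAMPLE_STORES with an asserted EmailAddress of Adam.Smith@example.com returns the employees entry; the shared partner address hits two entries and therefore falls through to whatever no-match action was configured.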

10.2.3 Defining the User Provisioning Method

If you enabled Automatically provision unknown users when selecting an identification method, you must define the user provisioning method. This procedure involves selecting required and optional attributes that the service provider requests from the identity provider during provisioning.

Attribute Considerations

When a user object is created in the directory, some attributes are initially created with the value of NAM Generated. Afterwards, an attempt is made to write the required and optional attributes to the new user object. Because required and optional attributes are profile attributes, the system checks the write policy for the profile’s Data Location Settings (specified in Liberty > Web Service Provider) and writes the attribute in either LDAP or the configuration store. In order for the LDAP write to succeed, each attribute must be properly mapped as an LDAP Attribute. Additionally, you must enable the read/write permissions for each attribute in the Liberty/LDAP attribute maps. See Section 12.9, Mapping LDAP and Liberty Attributes.

To configure user provisioning:

  1. In the Administration Console, click Access Manager > Identity Servers > Servers > Edit > Liberty [or SAML 2.0] > [Identity Provider] > Access > Authentication.

  2. Click Allow before authentication, then click User Provisioning method.

    Select required attributes

  3. Select the required attributes from the Available Attributes list and move them to the Attributes list.

    Required attributes are those used in the creation of a user name, or that are required when creating the account.

  4. Click Next.

  5. Select optional attributes from the Available Attributes list and move them to the Attributes list.

    This step is similar to selecting required attributes. However, the user provisioning request creates the user account whether or not optional attributes exist on the service provider.

  6. Click Next.

  7. Define how to create the username.

    Define user name

    You can specify whether users are prompted to create their own usernames or whether the system automatically creates usernames. Selecting an attribute for the username segments from the required attributes list improves the chances that a new username is successfully created.

    Maximum length: The maximum length of the user name. This value must be between 1 and 50.

    Prompt for user name: Enables users to create their own usernames.

    Automatically create user name: Specifies that the system creates usernames. You can configure the segments for the system to use when creating usernames and configure how the names are displayed.

    For example, if you are using the required attributes of Common First Name and Common Last Name, a username for Adam Smith might be generated as A.Smith_02, where the _02 suffix resolves a collision with an existing A.Smith (see Ensure name is unique below).

    Use the following settings to specify how this is accomplished:

    • Segment 1: The required attribute to use as the first segment for the user name. The values displayed in this drop-down menu correspond to the required attributes you selected. For example, you might select Common First Name to use for Segment 1.

    • Length: The length of the first attribute segment. For example, if you selected Common First Name for the Segment 1 value, setting the length to 1 specifies that the system uses only the first letter of the Common First Name attribute. With no junction, Adam Smith would therefore become ASmith.

    • Junction: The type of junction to use between the attributes of the user name, such as no space, or a hyphen, or a period. Adam Smith would display as A.Smith.

    • Segment 2: The required attribute to use as the second segment for the user name. The values displayed in this drop-down menu correspond to the required attributes you selected. For example, you might select Common Last Name to use for Segment 2.

    • Length: The length of the second attribute segment. For example, if you selected Common Last Name for the Segment 2 value, you might set the length to All, so that the full last name is displayed. However, the system does not allow more than 20 characters for the length of segment 2.

    • Ensure name is unique: If the name built from the attributes collides with an existing name, applies a suffix to the colliding name until a unique name is found. If no attributes are provided, or their lengths are 0, and this option is selected, the system creates a unique name on its own. If this option is not selected, a collision causes provisioning to fail with the Username is not available error.

  8. Click Next.

  9. Specify password settings.

    User account password

    Use this page to specify whether to prompt the user for a password or to create a password automatically.

    Min. password length: The minimum length of the password.

    Max. password length: The maximum length of the password.

    Prompt for password: Prompts the user for a password.

    Automatically create password: Specifies whether to automatically create passwords.

  10. Click Next.

  11. Specify the user store and context in which to create the account.

    Provisioning user store

    User Store: The user store in which to create the new user account.

    Context: The context in the user store you want accounts created.

    The system creates the user within this specific context and checks for name collisions only there; uniqueness is not guaranteed across the whole directory, so the same name may already exist in another container.

    Delete user provisioning accounts if federation is terminated: Specifies whether to automatically delete the provisioned user account at the service provider if the user terminates his or her federation between the identity provider and service provider.

  12. Click Finish.

  13. On the Authentication page, click OK.

  14. On the Trusted Providers page, click OK.

  15. On the Servers page, click Update Servers to update the Identity Server configuration.
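Step 7’s segment, length, junction and uniqueness settings, carried through as an added example (illustrative Python, not Access Manager’s own code). It generalizes the Adam Smith case: any required attribute can fill either segment, All is modelled as the length value -1, segment 2 is capped at 20 characters and the whole name at Maximum length. Two details the page does not specify are assumptions here: the suffix format _02, _03 for colliding names (inferred from the A.Smith_02 example) and the stem "user" used when no segments are configured. The set of existing names stands in for a search of the provisioning context, so, as step 11 warns, it only detects collisions inside that context.

```python
"""Added example: automatic user name generation for provisioned accounts."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

MAX_USERNAME_LEN = 50     # "Maximum length" must be between 1 and 50
MAX_SEGMENT2_LEN = 20     # segment 2 never contributes more than 20 characters
ALL = -1                  # length value meaning "All"


@dataclass
class UsernamePolicy:
    segment1: Optional[str]      # required attribute for segment 1, or None
    length1: int                 # characters to take; 0 = none, ALL = whole value
    junction: str                # "" (no space), "-" or "."
    segment2: Optional[str]
    length2: int
    max_length: int = MAX_USERNAME_LEN
    ensure_unique: bool = True


def _take(value: str, length: int) -> str:
    return "" if length == 0 else (value if length == ALL else value[:length])


def generate_username(policy: UsernamePolicy, attrs: dict[str, str],
                      existing: set[str]) -> Optional[str]:
    """Return the user name to create, or None if provisioning must fail
    (which the user sees as "Username is not available")."""
    if not 1 <= policy.max_length <= MAX_USERNAME_LEN:
        raise ValueError("Maximum length must be between 1 and 50")
    # attrs[...] raising KeyError is intended: a required attribute the IdP
    # did not send means the account cannot be created.
    seg1 = _take(attrs[policy.segment1], policy.length1) if policy.segment1 else ""
    seg2 = ""
    if policy.segment2:
        len2 = MAX_SEGMENT2_LEN if policy.length2 == ALL else min(policy.length2, MAX_SEGMENT2_LEN)
        seg2 = _take(attrs[policy.segment2], len2)
    base = seg1 + (policy.junction if seg1 and seg2 else "") + seg2
    if not base:
        if not policy.ensure_unique:
            return None
        base = "user"            # assumed stem for "the system creates a unique name"
    base = base[:policy.max_length]
    taken = {n.casefold() for n in existing}   # directory names compare case-insensitively
    if base.casefold() not in taken:
        return base
    if not policy.ensure_unique:
        return None              # collision and suffixing is disabled
    n = 2
    while True:                  # A.Smith -> A.Smith_02 -> A.Smith_03 ...
        suffix = f"_{n:02d}"
        room = policy.max_length - len(suffix)
        if room < 1:
            return None          # Maximum length leaves no room for a suffix
        candidate = base[:room] + suffix
        if candidate.casefold() not in taken:
            return candidate
        n += 1
```

With Segment 1 = Common First Name (length 1), junction "." and Segment 2 = Common Last Name (All), the policy yields A.Smith for an empty context and A.Smith_02 once A.Smith exists; a 35-character last name is cut to 20 characters before the junction is applied.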

10.2.4 User Provisioning Error Messages

The following error messages are displayed for the end user if there are problems during provisioning.

Table 10-1 Provisioning Error Messages

Error message: Username length cannot exceed (?) characters.
Cause: The user entered more characters for a user name than the administrator allows (the Maximum length setting of the user provisioning method).

Error message: Username is not available.
Cause: The user entered a name that already exists in the directory.

Error message: Passwords don’t match.
Cause: The two password values the user provided do not match.

Error message: Passwords must be between (x) and (y) characters in length.
Cause: The password the user provided is shorter than the Min. password length or longer than the Max. password length configured in the user provisioning method.

Error message: Username unavailable.
Cause: The provisioned user account was deleted without first defederating the user, leaving an orphaned identity object behind. Remove orphaned identity objects from the configuration datastore.

IMPORTANT: Only experienced LDAP users should remove orphaned identity objects from the configuration datastore. You must ensure that the objects you are removing are orphaned; deleting an object that is still in use creates new orphaned objects by mistake.

Error message: Unable to complete authentication request.
Cause: Can occur when users are allowed to create accounts from a service provider’s login page and the service provider uses Active Directory for the user store. Active Directory rejected the password, either because it does not conform to the Windows password complexity policy or because it was sent over a connection that Active Directory does not accept for password writes. Ensure that Active Directory is configured to use a secure port, such as 636, and that the user’s password conforms to the complexity policy. If you encounter this error, you must reset the password on the Windows* machine.
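The last two checks a service provider can make before it attempts to create an Active Directory account, as an added example (illustrative Python, not Access Manager’s own code): the Min./Max. password length and confirmation checks from step 9 of the provisioning method, Microsoft’s documented "Password must meet complexity requirements" policy (at least six characters, no samAccountName, no displayName token of three or more characters, characters from at least three of five categories), and a refusal to attempt the write unless the user store URL is LDAPS on port 636. The function names, sample account names and the URL form are assumptions.

```python
"""Added example: validating a provisioning password before the AD write."""
from __future__ import annotations
import re
from urllib.parse import urlparse

# Delimiters Windows uses to split displayName into tokens for the check.
DISPLAY_NAME_DELIMITERS = re.compile(r"[ ,.\-_#\t]+")


def ad_complexity_errors(password: str, sam_account_name: str,
                         display_name: str) -> list[str]:
    """Windows 'Password must meet complexity requirements' policy."""
    errors = []
    lowered = password.casefold()          # both name checks are case-insensitive
    if len(password) < 6:
        errors.append("AD complexity: shorter than 6 characters")
    if len(sam_account_name) >= 3 and sam_account_name.casefold() in lowered:
        errors.append("AD complexity: contains the account name")
    for token in DISPLAY_NAME_DELIMITERS.split(display_name or ""):
        if len(token) >= 3 and token.casefold() in lowered:
            errors.append(f"AD complexity: contains part of the display name ({token})")
    categories = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),              # punctuation, symbols
        any(c.isalpha() and not c.isupper() and not c.islower()
            for c in password),                              # caseless scripts
    ]
    if sum(categories) < 3:
        errors.append("AD complexity: fewer than three character categories")
    return errors


def user_store_allows_password_write(url: str) -> bool:
    """AD rejects password sets over clear LDAP: require ldaps:// on 636."""
    parsed = urlparse(url)
    return parsed.scheme == "ldaps" and parsed.port in (None, 636)


def validate_provisioning_password(password: str, confirm: str,
                                   min_len: int, max_len: int,
                                   sam_account_name: str, display_name: str,
                                   user_store_url: str) -> list[str]:
    """Return every reason the provisioning request would fail; [] means OK."""
    errors = []
    if password != confirm:
        errors.append("Passwords don't match.")
    if not min_len <= len(password) <= max_len:
        errors.append(f"Passwords must be between {min_len} and {max_len} "
                      "characters in length.")
    errors += ad_complexity_errors(password, sam_account_name, display_name)
    if not user_store_allows_password_write(user_store_url):
        errors.append("User store must be reached over LDAPS (port 636) to set a password.")
    return errors
```

Collecting all failures rather than stopping at the first lets the login page report the administrator’s length limits and the Active Directory policy together, instead of the bare "Unable to complete authentication request" the user would otherwise see after the write fails.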